I think react-router-dom is actually an "optional peer dependency" (not an optional dependency)

• https://docs.npmjs.com/cli/v10/configuring-npm/package-json#peerdependenciesmeta

Is there a minimum version of react-router-dom 6.x we should specify here?

I wanted to decouple okta-react from react-router.
See my comment: #274 (comment)
What if developer wants to use @remix-run/react router, or Next.js router, reach-router?
Then he would not want a react-router to be installed in node_modules.

I left react-router-dom in optionalDependencies just for legacy support of react-router 5

Understood, but a optional dependencies and a peer dependencies and a optional peer dependencies are not the same thing.

Optional dependency: A dependency that is may or may not be included (optional) to use a package. In the SIW we used to use a async library called fibers to improved the compile time of sass (https://github.com/okta/okta-signin-widget/pull/2863/files)

Peer dependency: A dependency which the application and library need a common version/instance of. For example okta-react need a common instance of React (and authjs). The application consuming okta-react needs React and okta-react needs React AND it needs to be the same "instance" of React

Optional Peer Dependency: Same as a peer dependency, however including the peer dependency is optional

Optional Peer Dependencies are defined as so:

"peerDependencies": {
    "@okta/okta-auth-js": "^7.x"
  },
  "peerDependenciesMeta": {
    "@okta/okta-auth-js": {
      "optional": true
    }
  },

I don't think this is needed (see package.json comment)

Can we export a react-router-6 bundle as well?

We could export a react-router-6 bundle with one component called like SecureOutlet that just renders <AuthRequired><Outlet /></AuthRequired>
Probably we should not name it SecureRoute as in RR5, because it's not a route.

Can you rename this variable, use is usually reversed for hooks in React

Renamed to usingFragmentForLoginCalback

Why is a ref needed here?

It's a safe way to eliminate Two custom restoreOriginalUri callbacks are detected warning issues.
When another instance of restoreOriginalUri is passed to Security, the effect would not be triggered.
Using empty dependencies array also works, but gives lint error after adding react-hooks/rules-of-hooks to ESlint config

Yes, but that linter is used to warn to you to the possibility of a memory leak, it does not mean there is one. It's correct to pass an empty array for this case (we only want the check to fire once on component mount)

The gen3 widget does this as well:
https://github.com/okta/okta-signin-widget/blob/master/src/v3/src/components/Widget/index.tsx#L147

I think it makes more sense to use await oktaAuth.isAuthenticated() here, rather than the authState

oktaAuth.isAuthenticated() can't be used for this purpose (purpose is to use support react-router's loader).
oktaAuth.isAuthenticated() will return promise that will immediately be resolved with true/false rather that actually waiting for auth state with isAuthenticated: true

(Maybe it's better to delete waitForAuthenticated util if it's confusing, and not support loader)

oktaAuth.isAuthenticated() will return promise that will immediately be resolved with true/false rather that actually waiting for auth state with isAuthenticated: true

I'm not sure I follow this. oktaAuth.isAuthenticated will attempt to read the tokens from the tokenManager and determine their validity (and attempt a renew) before resolving

Understood, but a optional dependencies and a peer dependencies and a optional peer dependencies are not the same thing.

Optional dependency: A dependency that is may or may not be included (optional) to use a package. In the SIW we used to use a async library called fibers to improved the compile time of sass (https://github.com/okta/okta-signin-widget/pull/2863/files)

Peer dependency: A dependency which the application and library need a common version/instance of. For example okta-react need a common instance of React (and authjs). The application consuming okta-react needs React and okta-react needs React AND it needs to be the same "instance" of React

Optional Peer Dependency: Same as a peer dependency, however including the peer dependency is optional

Optional Peer Dependencies are defined as so:

"peerDependencies": {
    "@okta/okta-auth-js": "^7.x"
  },
  "peerDependenciesMeta": {
    "@okta/okta-auth-js": {
      "optional": true
    }
  },

We can provide samples for HashRouters, but I don't think we need direct API support. I don't think it's worth adding complexity to the API

nit: can you flip this boolean, so the default case renders <Loader />

else if (authState?.isAuthentcated) {
  return <ReactRouterDom.Route {....routeProps } />
}
else {
  return Loading;
}

Yes, they will be similar, but I think the implementations will different slightly

Yes, but that linter is used to warn to you to the possibility of a memory leak, it does not mean there is one. It's correct to pass an empty array for this case (we only want the check to fire once on component mount)

The gen3 widget does this as well:
https://github.com/okta/okta-signin-widget/blob/master/src/v3/src/components/Widget/index.tsx#L147

oktaAuth.isAuthenticated() will return promise that will immediately be resolved with true/false rather that actually waiting for auth state with isAuthenticated: true

I'm not sure I follow this. oktaAuth.isAuthenticated will attempt to read the tokens from the tokenManager and determine their validity (and attempt a renew) before resolving

I like your idea of calling this SecureOutlet, let's forward this that

However this component should not render children and should instead return <Outlet />